marcan / certbot-external

Certbot plugin that uses an external shell script for domain validation
Other
50 stars 9 forks source link

OBSOLETE

With the removal of TLS-SNI validation, this plugin is obsolete. If you just need basic renewal hook support, you can use the built-in hook options present in recent versions of certbot. If you need more features, consider EnigmaBridge/certbot-external-auth in handler mode, which is inspired by this plug-in but also supports HTTP-01 and DNS-01 validation.

External shell script plugin for Let's Encrypt client

This plugin allows you to use a custom shell script to implement DVSNI validation for your domains. It should work with any conceivable server that supports TLS and SNI, and can also be used to perform DVSNI validation using a server (e.g. a web server) that is unrelated to the server that will be using the certificate (e.g. a mail server), as long as both share the same external IP address.

The example external-handler.sh supports DVSNI validation using nginx, in a setup where /etc/nginx/sites.d contains configuration files for each site. No existing configuration files are edited; instead, a new site config for the DVSNI challenge is created and then removed.

To install, first install let's encrypt (either on the root or in a virtualenv), then:

# python setup.py install
# cp external-handler.sh.example /etc/letsencrypt/external-handler.sh

To use, try something like this:

# certbot --agree-tos --agree-dev-preview \
    -a certbot-external:external \
    -d example.com certonly

This plugin only supports authentication, not installation, since it is assumed that the administrator will install the certificate manually. It can be used with the renewer too, but you'll have to wrap it with a script that checks whether any certificates were renewed and restarts the appropriate server(s) if needed.

Loosely based on the Let's Encrypt nginx plugin.